rpm/pam
SHA256
1
0
Fork 0
forked from pool/pam
Code Pull Requests Activity

- Update to current git (Linux-PAM-git-20140127.diff), which

Browse Source 
obsoletes pam_loginuid-part1.diff, pam_loginuid-part2.diff and
  Linux-PAM-git-20140109.diff.
  - Fix gratuitous use of strdup and x_strdup
  - pam_xauth: log fatal errors preventing xauth process execution
  - pam_loginuid: cleanup loginuid buffer initialization
  - libpam_misc: fix an inconsistency in handling memory allocation errors
  - pam_limits: fix utmp->ut_user handling
  - pam_mkhomedir: check and create home directory for the same user
  - pam_limits: detect and ignore stale utmp entries
- Disable pam_userdb (remove db-devel from build requires)

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=134
This commit is contained in:
Thorsten Kukuk 2014-01-27 14:48:02 +00:00 committed by Git OBS Bridge
parent 9e8981cb04
commit fbe6371c54
6 changed files with 1032 additions and 464 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

268
Linux-PAM-git-20140109.diff
View File

@ -1,268 +0,0 @@
--- old/Linux-PAM-1.1.8/modules/pam_access/pam_access.c 2013-06-18 16:11:21.000000000 +0200
+++ new/linux-pam-1.1.8/modules/pam_access/pam_access.c 2014-01-09 16:28:39.000000000 +0100
@@ -573,7 +573,7 @@
if (debug)
pam_syslog (pamh, LOG_DEBUG,
- "group_match: grp=%s, user=%s", grptok, usr);
+ "group_match: grp=%s, user=%s", tok, usr);
if (strlen(tok) < 3)
return NO;
--- old/Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2013-06-18 16:11:21.000000000 +0200
+++ new/linux-pam-1.1.8/modules/pam_lastlog/pam_lastlog.c 2013-11-28 11:37:54.000000000 +0100
@@ -628,7 +628,8 @@
lltime = (time(NULL) - lltime) / (24*60*60);
if (lltime > inactive_days) {
- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
+ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
+ user, (long) lltime);
return PAM_AUTH_ERR;
}
--- old/Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c 2013-06-18 16:11:21.000000000 +0200
+++ new/linux-pam-1.1.8/modules/pam_loginuid/pam_loginuid.c 2013-11-28 11:37:54.000000000 +0100
@@ -52,10 +52,10 @@
static int set_loginuid(pam_handle_t *pamh, uid_t uid)
{
int fd, count, rc = 0;
- char loginuid[24];
+ char loginuid[24], buf[24];
count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
if (fd < 0) {
if (errno != ENOENT) {
rc = 1;
@@ -64,8 +64,13 @@
}
return rc;
}
- if (pam_modutil_write(fd, loginuid, count) != count)
+ if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
+ memcmp(buf, loginuid, count) == 0)
+ goto done; /* already correct */
+ if (lseek(fd, 0, SEEK_SET) == -1 || (ftruncate(fd, 0) == -1 ||
+ pam_modutil_write(fd, loginuid, count) != count))
rc = 1;
+ done:
close(fd);
return rc;
}
--- old/Linux-PAM-1.1.8/modules/pam_securetty/pam_securetty.c 2013-06-18 16:11:21.000000000 +0200
+++ new/linux-pam-1.1.8/modules/pam_securetty/pam_securetty.c 2013-11-28 11:37:54.000000000 +0100
@@ -159,11 +159,10 @@
if (cmdlinefile != NULL) {
char line[LINE_MAX], *p;
- line[0] = 0;
- fgets(line, sizeof(line), cmdlinefile);
+ p = fgets(line, sizeof(line), cmdlinefile);
fclose(cmdlinefile);
- for (p = line; p; p = strstr(p+1, "console=")) {
+ for (; p; p = strstr(p+1, "console=")) {
char *e;
/* Test whether this is a beginning of a word? */
--- old/Linux-PAM-1.1.8/modules/pam_unix/pam_unix_passwd.c 2013-09-16 11:09:47.000000000 +0200
+++ new/linux-pam-1.1.8/modules/pam_unix/pam_unix_passwd.c 2013-11-12 13:05:47.000000000 +0100
@@ -614,7 +614,8 @@
if (_unix_blankpasswd(pamh, ctrl, user)) {
return PAM_SUCCESS;
- } else if (off(UNIX__IAMROOT, ctrl)) {
+ } else if (off(UNIX__IAMROOT, ctrl) ||
+ (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
/* instruct user what is happening */
if (asprintf(&Announce, _("Changing password for %s."),
user) < 0) {
@@ -795,6 +796,29 @@
* rebuild the password database file.
*/
+
+ /* if it is a NIS account, check for special hash algo */
+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
+ /* preset encryption method with value from /etc/login.defs */
+ int j;
+ char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
+ if (val) {
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+ if (unix_args[j].token && unix_args[j].is_hash_algo
+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
+ break;
+ }
+ }
+ if (j >= UNIX_CTRLS_) {
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
+ } else {
+ ctrl &= unix_args[j].mask; /* for turning things off */
+ ctrl |= unix_args[j].flag; /* for turning things on */
+ }
+ free (val);
+ }
+ }
+
/*
* First we encrypt the new password.
*/
--- old/Linux-PAM-1.1.8/modules/pam_unix/README 2013-09-19 10:02:20.000000000 +0200
+++ new/linux-pam-1.1.8/modules/pam_unix/README 2014-01-09 16:29:02.000000000 +0100
@@ -36,7 +36,8 @@
The password component of this module performs the task of updating the user's
password. The default encryption hash is taken from the ENCRYPT_METHOD variable
-from /etc/login.defs
+from /etc/login.defs. For NIS accounts, the ENCRYPT_METHOD_NIS variable from /
+etc/login.defs is preferred.
The session component of this module logs when a user logins or leave the
system.
--- old/Linux-PAM-1.1.8/modules/pam_unix/support.c 2013-09-16 11:11:51.000000000 +0200
+++ new/linux-pam-1.1.8/modules/pam_unix/support.c 2013-11-12 13:05:24.000000000 +0100
@@ -37,8 +37,8 @@
#define SELINUX_ENABLED 0
#endif
-static char *
-search_key (const char *key, const char *filename)
+char *
+_unix_search_key (const char *key, const char *filename)
{
FILE *fp;
char *buf = NULL;
@@ -159,7 +159,7 @@
}
/* preset encryption method with value from /etc/login.defs */
- val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
if (val) {
for (j = 0; j < UNIX_CTRLS_; ++j) {
if (unix_args[j].token && unix_args[j].is_hash_algo
@@ -177,7 +177,7 @@
/* read number of rounds for crypt algo */
if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
- val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+ val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
if (val) {
*rounds = strtol(val, NULL, 10);
--- old/Linux-PAM-1.1.8/modules/pam_unix/support.h 2013-06-18 16:24:05.000000000 +0200
+++ new/linux-pam-1.1.8/modules/pam_unix/support.h 2013-11-12 13:05:04.000000000 +0100
@@ -97,8 +97,9 @@
password hash algorithms */
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
+#define UNIX_DES 28 /* DES, default */
/* -------------- */
-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
@@ -135,6 +136,7 @@
/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
@@ -172,4 +174,5 @@
extern int _unix_run_verify_binary(pam_handle_t *pamh,
unsigned int ctrl, const char *user, int *daysleft);
+extern char *_unix_search_key(const char *key, const char *filename);
#endif /* _PAM_UNIX_SUPPORT_H */
--- old/Linux-PAM-1.1.8/modules/pam_warn/pam_warn.c 2013-06-18 16:11:21.000000000 +0200
+++ new/linux-pam-1.1.8/modules/pam_warn/pam_warn.c 2013-11-28 11:37:54.000000000 +0100
@@ -33,7 +33,7 @@
value = value ? value : default_value ; \
} while (0)
-static void log_items(pam_handle_t *pamh, const char *function)
+static void log_items(pam_handle_t *pamh, const char *function, int flags)
{
const void *service=NULL, *user=NULL, *terminal=NULL,
*rhost=NULL, *ruser=NULL;
@@ -45,8 +45,8 @@
OBTAIN(PAM_RHOST, rhost, "<unknown>");
pam_syslog(pamh, LOG_NOTICE,
- "function=[%s] service=[%s] terminal=[%s] user=[%s]"
- " ruser=[%s] rhost=[%s]\n", function,
+ "function=[%s] flags=%#x service=[%s] terminal=[%s] user=[%s]"
+ " ruser=[%s] rhost=[%s]\n", function, flags,
(const char *) service, (const char *) terminal,
(const char *) user, (const char *) ruser,
(const char *) rhost);
@@ -55,52 +55,52 @@
/* --- authentication management functions (only) --- */
PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
+int pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
+int pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
/* password updating functions */
PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh, int flags UNUSED,
+int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_open_session(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_close_session(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}

1015
Linux-PAM-git-20140127.diff Normal file
View File

File diff suppressed because it is too large Load Diff

15
pam.changes
View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Mon Jan 27 15:14:34 CET 2014 - kukuk@suse.de
- Update to current git (Linux-PAM-git-20140127.diff), which
obsoletes pam_loginuid-part1.diff, pam_loginuid-part2.diff and
Linux-PAM-git-20140109.diff.
- Fix gratuitous use of strdup and x_strdup
- pam_xauth: log fatal errors preventing xauth process execution
- pam_loginuid: cleanup loginuid buffer initialization
- libpam_misc: fix an inconsistency in handling memory allocation errors
- pam_limits: fix utmp->ut_user handling
- pam_mkhomedir: check and create home directory for the same user
- pam_limits: detect and ignore stale utmp entries
- Disable pam_userdb (remove db-devel from build requires)
-------------------------------------------------------------------
Fri Jan 10 10:56:24 UTC 2014 - kukuk@suse.com

9
pam.spec
View File

@ -24,7 +24,6 @@ Url: http://www.linux-pam.org/
BuildRequires: audit-devel
BuildRequires: bison
BuildRequires: cracklib-devel
BuildRequires: db-devel
BuildRequires: flex
#BuildRequires: pkgconfig(libtirpc)
%if %{enable_selinux}
@ -53,9 +52,7 @@ Source7: common-session.pamd
Source8: etc.environment
Source9: baselibs.conf
Patch0: fix-man-links.dif
Patch1: Linux-PAM-git-20140109.diff
Patch2: pam_loginuid-part1.diff
Patch3: pam_loginuid-part2.diff
Patch1: Linux-PAM-git-20140127.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -101,8 +98,6 @@ building both PAM-aware applications and modules for use with PAM.
%setup -q -n Linux-PAM-%{version} -b 1
%patch0 -p1
%patch1 -p2
%patch2 -p1
%patch3 -p1
%build
export CFLAGS="%optflags -DNDEBUG"
@ -275,7 +270,7 @@ install -m 644 NEWS COPYING $DOC
/%{_lib}/security/pam_unix_auth.so
/%{_lib}/security/pam_unix_passwd.so
/%{_lib}/security/pam_unix_session.so
/%{_lib}/security/pam_userdb.so
#/%{_lib}/security/pam_userdb.so
/%{_lib}/security/pam_warn.so
/%{_lib}/security/pam_wheel.so
/%{_lib}/security/pam_xauth.so

115
pam_loginuid-part1.diff
View File

@ -1,115 +0,0 @@
commit 5825450540e6620ac331c64345b42fdcbb1d6e87
Author: Dmitry V. Levin <ldv@altlinux.org>
Date: Wed Jan 8 15:53:30 2014 -0800
pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist
When /proc/self/loginuid does not exist, return PAM_IGNORE instead of
PAM_SUCCESS, so that we can distinguish between "loginuid set
successfully" and "loginuid not set, but this is expected".
Suggested by Steve Langasek.
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return
code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid
does not exist, PAM_SESSION_ERR in case of any other error.
(_pam_loginuid): Forward the PAM error code returned by set_loginuid.
modules/pam_loginuid/pam_loginuid.c | 43 ++++++++++++++++++++++------------
1 files changed, 28 insertions(+), 15 deletions(-)
---
diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
index a903845..96f8ffa 100644
--- a/modules/pam_loginuid/pam_loginuid.c
+++ b/modules/pam_loginuid/pam_loginuid.c
@@ -47,29 +47,35 @@
/*
* This function writes the loginuid to the /proc system. It returns
- * 0 on success and 1 on failure.
+ * PAM_SUCCESS on success,
+ * PAM_IGNORE when /proc/self/loginuid does not exist,
+ * PAM_SESSION_ERR in case of any other error.
*/
static int set_loginuid(pam_handle_t *pamh, uid_t uid)
{
- int fd, count, rc = 0;
+ int fd, count, rc = PAM_SESSION_ERR;
char loginuid[24], buf[24];
count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
if (fd < 0) {
- if (errno != ENOENT) {
- rc = 1;
+ if (errno == ENOENT) {
+ rc = PAM_IGNORE;
+ } else {
pam_syslog(pamh, LOG_ERR,
"Cannot open /proc/self/loginuid: %m");
}
return rc;
}
+
if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
- memcmp(buf, loginuid, count) == 0)
+ memcmp(buf, loginuid, count) == 0) {
+ rc = PAM_SUCCESS;
goto done; /* already correct */
- if (lseek(fd, 0, SEEK_SET) == -1 || (ftruncate(fd, 0) == -1 ||
- pam_modutil_write(fd, loginuid, count) != count))
- rc = 1;
+ }
+ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
+ pam_modutil_write(fd, loginuid, count) == count)
+ rc = PAM_SUCCESS;
done:
close(fd);
return rc;
@@ -170,6 +176,7 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
{
const char *user = NULL;
struct passwd *pwd;
+ int ret;
#ifdef HAVE_LIBAUDIT
int require_auditd = 0;
#endif
@@ -188,9 +195,14 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
return PAM_SESSION_ERR;
}
- if (set_loginuid(pamh, pwd->pw_uid)) {
- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n");
- return PAM_SESSION_ERR;
+ ret = set_loginuid(pamh, pwd->pw_uid);
+ switch (ret) {
+ case PAM_SUCCESS:
+ case PAM_IGNORE:
+ break;
+ default:
+ pam_syslog(pamh, LOG_ERR, "set_loginuid failed");
+ return ret;
}
#ifdef HAVE_LIBAUDIT
@@ -200,11 +212,12 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
argv++;
}
- if (require_auditd)
- return check_auditd();
- else
+ if (require_auditd) {
+ int rc = check_auditd();
+ return rc != PAM_SUCCESS ? rc : ret;
+ } else
#endif
- return PAM_SUCCESS;
+ return ret;
}
/*
_______________________________________________
linux-pam-commits mailing list
linux-pam-commits@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits

74
pam_loginuid-part2.diff
View File

@ -1,74 +0,0 @@
commit 24f3a88e7de52fbfcb7b8a1ebdae0cdbef420edf
Author: Stéphane Graber <stgraber@ubuntu.com>
Date: Tue Jan 7 16:12:03 2014 -0800
pam_loginuid: Ignore failure in user namespaces
When running pam_loginuid in a container using the user namespaces, even
uid 0 isn't allowed to set the loginuid property.
This change catches the EACCES from opening loginuid, checks if the user
is in the host namespace (by comparing the uid_map with the host's one)
and only if that's the case, sets rc to 1.
Should uid_map not exist or be unreadable for some reason, it'll be
assumed that the process is running on the host's namespace.
The initial reason behind this change was failure to ssh into an
unprivileged container (using a 3.13 kernel and current LXC) when using
a standard pam profile for sshd (which requires success from
pam_loginuid).
I believe this solution doesn't have any drawback and will allow people
to use unprivileged containers normally. An alternative would be to have
all distros set pam_loginuid as optional but that'd be bad for any of
the other potential failure case which people may care about.
There has also been some discussions to get some of the audit features
tied with the user namespaces but currently none of that has been merged
upstream and the currently proposed implementation doesn't cover
loginuid (nor is it clear how this should even work when loginuid is set
as immutable after initial write).
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
modules/pam_loginuid/pam_loginuid.c | 15 ++++++++++++++-
1 files changed, 14 insertions(+), 1 deletions(-)
---
diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
index 96f8ffa..54ae6f0 100644
--- a/modules/pam_loginuid/pam_loginuid.c
+++ b/modules/pam_loginuid/pam_loginuid.c
@@ -55,13 +55,26 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
{
int fd, count, rc = PAM_SESSION_ERR;
char loginuid[24], buf[24];
+ static const char host_uid_map[] = " 0 0 4294967295\n";
+ char uid_map[sizeof(host_uid_map)];
count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
if (fd < 0) {
if (errno == ENOENT) {
rc = PAM_IGNORE;
- } else {
+ } else if (errno == EACCES) {
+ fd = open("/proc/self/uid_map", O_RDONLY);
+ if (fd >= 0) {
+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
+ if (strncmp(uid_map, host_uid_map, count) != 0)
+ rc = PAM_IGNORE;
+ close(fd);
+ }
+ if (rc != PAM_IGNORE)
+ errno = EACCES;
+ }
+ if (rc != PAM_IGNORE) {
pam_syslog(pamh, LOG_ERR,
"Cannot open /proc/self/loginuid: %m");
}
_______________________________________________
linux-pam-commits mailing list
linux-pam-commits@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits